Health Information Systems in Healthcare: HIPAA

Information Systems in Healthcare

Advancements in technology have placed the world at our fingertips. These advancements give us the capability to share information in real time and afford us the ability to document everything we do or come into contact with in our daily lives. There are circumstances in life when being able to capture these moments is beneficial, such as snapping a picture of your baby’s first steps and then sharing it on social media for your friends and family members to view. As healthcare professionals, however, we cross an ethical line when we use this technology for our own benefit at the cost of a patient’s right to privacy. This paper discusses HIPAA and its regulatory requirements, as well as a scenario in which a patient’s right to privacy is violated. It also includes recommendations on what should be done to correct this violation, in addition to the advantages and disadvantages technology can provide to healthcare. In order to understand these things and how they correlate to the use of technology in healthcare, we must first know the law as outlined by the Health Insurance Portability and Accountability Act (HIPAA).

HIPAA, Legal, & Regulatory Discussion

Originally passed by the United States Congress in 1996, HIPAA was updated in 2003 adding the Privacy Rule, requiring that an individual’s personal health information be protected and remain confidential (United States, 2004). As defined in 45 CFR § 160.103, this rule applies to healthcare providers, health insurance plans and healthcare clearinghouses. Although the Privacy Rule of HIPAA does not stipulate how cellphones and social media should be utilized in the healthcare setting, it does require that electronic protected health information (ePHI) be safeguarded. Since this is difficult to achieve with each employee having their own personal devices, many organizations maintain that any device or outlet that puts the protected health information of patients at risk for being inappropriately accessed should not be utilized in the healthcare setting. But what is considered protected health information?

According to the Privacy Rule of HIPAA, protected health information (PHI) is any information that can be used to identify an individual, including name, date of birth, social security number, address and medical record numbers. The Privacy Rule goes even further to include email address, phone number and full-face photographic images, as well as 10 additional items it considers to be unique to an individual (United States, 2004). Should an employee of one of the entities mentioned be negligent and fail to protect PHI, the entity may choose to take steps to rectify the matter, with the potential of terminating the employee. In the event HIPAA law is deliberately violated due to an individual willfully sharing PHI, the Department of Justice could decide that the person face criminal penalties, including fines upwards of $250,000, with the possibility of having to pay restitution to the victim involved as well. Therefore, it is the responsibility of the health entity to educate its employees on the necessary steps to protect a patient’s information and to ensure that those employees comply with the HIPAA rules and regulations set forth by Congress. Nevertheless, an employee has the capability to disregard those rules and choose to act of their own free will. An example of this would be the following scenario.

Scenario Ending

You go on Facebook, on your day off, and talk about the night you had at work and how you didn’t really feel as bad having to miss the concert, because you actually got to meet Jerod in person and even “Got his number!” You then post a picture of Jerod on Facebook and Instagram, figuring that most of your contacts would never recognize him anyway. It’s your day off and your personal time, so no harm, no foul, right?

In this scenario the nurse chooses to deliberately disregard HIPAA law by posting the patient’s name and picture to the social media outlets Facebook and Instagram. Doing this means she has shared protected health information which identifies the patient. The nurse sees nothing wrong with posting the information on social media because she believes she is only sharing it with her close contacts. Once posted on a public platform, however, the information is considered to be part of the public domain and she loses control of how the information is shared (Kouri, Rissasen, Weber, & Park, 2017). The nurse rationalizes this action even further by thinking that she is not at her job and is on her personal time, so she is able to do whatever she wants. As a healthcare professional, though, society holds her to a standard that she is always ‘on duty’, and by posting PHI she has compromised the privacy of the patient (Jones & Hayter, 2013).


The deliberate action of the nurse to share PHI of a patient falls on the healthcare facility she works for. In order to correct this wrongdoing, administrators of the facility should perform an internal investigation to verify in what manner the PHI was obtained and by whom. The individual responsible for stealing the information should be terminated, as the sharing of this information was deliberate and not an act of simple negligence. To prevent further sharing, the individual should be requested to remove the information from all social media platforms and delete the evidence from her smartphone. Willfully sharing the PHI of the patient was a criminal act, and to ensure the integrity of the healthcare facility, this incident should be made available to the Department of Justice so it can be fully investigated and so it can be determined whether restitution should be paid to the patient, who is a well-known celebrity.

To prevent an incident like this from happening again, healthcare employees should not be allowed to utilize their own personal devices while caring for patients. The healthcare facility may consider purchasing cellular devices for in-house use so team members can still communicate instantly, but the software should be encrypted and secured with passwords specific to the individual who has the device, much like the credentials one needs when logging in to the computer system. In order to guarantee that employees do not forget the importance of HIPAA compliance, the facility should also implement yearly mandatory continuing education courses. By doing so, individuals would be reminded that they are the first line of defense for ensuring patients’ personal health information is protected.

Advantages and Disadvantages

The use of social media in the realm of healthcare does have advantages when it is utilized in a professional and educational manner. Twitter, a social media platform where individuals post short messages, also known as ‘tweeting,’ has been used for public research and for sharing health information related to healthy habits (Jones & Hayter, 2013). The research aspect comes from gathering user data based on searches for specific health-related information. Nurse researchers, as well as other professionals, are able to collect these figures and determine if a lack of education exists in the community regarding certain illnesses. Should a lack of knowledge be identified, social media can then work by spreading the information to a vast number of individuals, especially those who are searching for the knowledge. Smartphones also provide advantages, such as being able to immediately call a physician while in a patient’s room instead of having to walk to the nurse’s station. While in the room, the nurse is able to ask the patient any questions he or she may have forgotten to ask, preventing a delay in the care provided. Unfortunately, the use of social media and smartphones in the healthcare setting comes with risk.

While there are advantages to utilizing this technology, there are also disadvantages. For instance, smartphones are handheld devices that can easily be laid down and forgotten about. In our scenario we read that the nurse placed her phone on the bedside table and forgot about it. Because the device cannot be secured to oneself, the smartphone, as well as any information stored within it, is at risk for theft. Should an individual be able to hack into the phone, they would have access to a multitude of PHI, placing the patients the nurse serves at risk for identification. Another disadvantage is the possibility of transmitting PHI via text message. It would be tempting for the nurse to simply text PHI to a physician when seeking orders for a patient. Those messages, however, are sent and received through unsecured networks, which again leaves PHI accessible to individuals who are able to hack into the networks.


The use of technology in the healthcare realm today provides advantages and disadvantages that should be carefully evaluated against the rules and regulations of the HIPAA Privacy Rule. The technology of social media and smartphones provides easier access to gathering data, sharing educational information and communicating with other members of the healthcare team. Technology also puts the privacy of individuals receiving care at risk when individuals do not take safeguards to protect the information to the utmost of their ability. As healthcare members we must remember that we are the first line of defense when it comes to PHI. Some things we are able to do to secure PHI are logging off computers, sending messages through encrypted systems, and not posting anything about patients or their care to social media. Securing PHI can also be as simple as turning over a sheet of paper that has PHI on it, so no one is able to view the information. Should any member choose to blatantly disregard the rules set forth by HIPAA and share information they are privy to, that individual is subject to the criminal justice system and will be held responsible for their actions.


  • Jones, C., & Hayter, M. (2013). Editorial: Social media use by nurses and midwives: A ‘recipe for disaster’ or a ‘force for good’? Journal of Clinical Nursing, 22(11-12), 1495–1496. doi: 10.1111/jocn.12239
  • Kouri, P., Rissasen, M.-L., Weber, P., & Park, H.-A. (2017). Competences in Social Media Use in the Area of Health and Healthcare. Forecasting Informatics Competencies for Nurses in the Future of Connected Health, 183–193. doi: 10.3233/978-1-61499-738-2-183
  • United States. (2004). The Health Insurance Portability and Accountability Act (HIPAA). Washington, D.C.: U.S. Dept. of Labor, Employee Benefits Security Administration.